Vehicle occupant safety system and method for operating the same

ABSTRACT

A vehicle occupant safety system, in particular a restraining system such as an airbag, safety-belt tightener or the like, includes a sensor device having at least two sensors, a preprocessing device comprising at least two preprocessing circuits, for the sensor signals, a computing system and a trigger circuit including at least two stages, for a safety device. For providing a high degree of safety with relatively low costs, the computing system is constructed as a single-computer system in such a way that it processes the data of two preprocessing circuits in two programs with staggered timing with respect to one another.

FIELD OF THE INVENTION

The present invention relates to a vehicle occupant safety system, andin particular, a restraining system such as an airbag, safety-belttightener or the like, with a sensor device having at least two sensors,a preprocessing device comprising at least two preprocessing circuits,for the sensor signals, a computing system and a trigger circuit,including at least two stages, for a safety device.

BACKGROUND OF THE INVENTION

In safety systems such as restraining systems operating on an electronicbasis, the critical components, such as sensors, preprocessing circuits,and computers, and in particular, microcomputers for signal processing,may be provided in a redundant fashion, and in particular in duplicate.As a result of the redundancy provided, such known restraining systemsprovide increased safety. However, this is at the expense of highproduction costs since a relatively large number of components have tobe produced.

If redundancy is omitted in known safety systems, i.e., the systemcomponents are simply present once, the costs are indeed lowered, but alower safety level must then also be assumed. This results from thefacts that inappropriate triggerings of the vehicle occupant safetysystem may not to be ruled out, and that a triggering of the safetysystem may not occur when it is required.

European No. 0 283 737 describes a circuit arrangement for actuating aprotection system for vehicle occupants in which a safety system triggeris disposed in an airbag housing. A plurality of trigger switches areconnected in series with one another and in series with the trigger 10,the switches being driven by current sources with are loaded themselvesin turn by output signals from logic components. The output signals arefed as a function of the delay of switching double switches to inputterminals of the logic components connected in parallel. The functionsof the logic components can be taken over by correspondingly programmedmicrocomputers with corresponding peripherals. In the document, it isalso pointed out that for test purposes in each case one part of thetrigger switch can be periodically driven at particular intervals, itbeing also possible for this driving to be carried out by amicroprocessor.

SUMMARY OF THE INVENTION

The vehicle occupant safety system according to the present inventionprovides, approximately the same level of safety as a redundancy systemand yet saves considerable costs. The cost savings results from thefacts that the computing system used is a single-computer system, thatis, not a two-computer or multi-computer system, and that the datasupplied by the two preprocessing circuits is processed by the samecomputer (microcomputer) in two programs having staggered timing withrespect to one another, to provide a high level of reliability. Thisleads to a quasi-redundancy. Provided that the information on the twodata signal paths coming from the sensors or preprocessing circuitsdiffers considerably from one another, no triggering of the safetysystem occurs. The information processing is performed solely by onecomputer which is connected to a two-stage trigger circuit for thesafety device. Differences between the information on the two datasignal paths or the occurrence of errors lead to, for example, only asingle stage of the trigger circuit being activated so that triggeringof the safety system cannot occur since, for this purpose, theactivation of both stages is required. By means of the single-computersystem according to the present invention, not only are the costslowered but there remains approximately the same level of safety as in atwo-computer system because, for example, a fault in the execution ofone of the two programs having staggered timing with respect to theother leads to the other program also not being further executable, sothat the safety system is not triggered.

It is provided, in particular, that the respective starts of the twoprograms are initiated by means of two interrupt sources which areindependent from one another. Preferably, so-called timer interrupts areused.

The starting time of the first program is preferably n T and thestarting time of the second program is (2n+1)·(T/2), n being thesuccessive whole positive numbers and T constituting a processingperiod. As a result, it is ensured that within a processing period boththe first and the second program are always started at times which arestaggered with respect to one another.

In addition, according to the present invention, a watchdog circuit canbe provided which is triggered by the two programs and is connected to areset input of the computing system. The watchdog circuit must bealternately driven at certain times by both programs so that it does notsupply a pulse to the reset input of the computing system, i.e., doesnot reset the computing system. However, if irregularities or errorsoccur during the signal processing, which leads to an incorrecttriggering or failure of the triggering, a possible incorrect triggeringof the vehicle occupant safety system is avoided by means of theresetting of the computing system.

In particular, a window watchdog circuit can be used as the watchdogcircuit, i.e., the respective trigger signals must be located withinspecific time windows for satisfactory functioning.

In order to achieve a particularly high level of safety, the triggersignal is in each case generated in halves by the first and the secondprogram. In particular, it can be provided that the start of the oneprogram, in particular the second program, generates a rising edge, andthat the start of the other program, in particular the first program,generates a trailing edge of the trigger signal. Consequently, theaforesaid interrupt sources trigger, in each case at the abovementionedstarting times, the execution of the two programs which generate therising or trailing edge of the trigger signal so that a trigger signalconsisting of corresponding square-wave pulses is generated. The signalcontrols the watchdog circuit for the aforesaid monitoring function.

For a function to proceed correctly, it is necessary that the firstprogram is ended before the second program starts. For safety reasons,it can be provided that the one program tests the termination of theother program. In particular, each program can have an end identifierwhich is monitored by the other program. In addition, the presentinvention provides a method for operating a vehicle occupant safetysystem, and in particular a restraining system, such as an airbag,safety-belt tightener or the like, with a sensor device having at leasttwo sensors, a preprocessing device comprising at least twopreprocessing circuits, for the sensor signals, a computing system and atrigger circuit including at least two stages, for a safety device. Thecomputing system may be constructed as a single-computer systemprocessing the data of the two preprocessing circuits in two programswith staggered timing with respect to one another.

A triggering of the trigger circuit occurs only if its two stages areactivated based on of an identical or approximately identical result ofthe execution of both programs.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows a block diagram of a trigger circuit of a vehicle occupantsafety system according to the present invention.

FIG. 2 shows a diagram of the sequence of program execution and thetrigger signal of the safety systems of FIG. 1.

DETAILED DESCRIPTION

In FIG. 1, component of a vehicle occupant safety system these is showna, specifically a drive circuit 1. The portion of the vehicle occupantmay include a be a restraining system such as an airbag, safety-belttightener or the like. Safety systems of this kind are triggeredelectrically, i.e., they have an electrically firable firing cap which,in the case of an airbag, fires a propellant charge which generates thegas pressure to fill up the impact cushion.

According to FIG. 1, the drive circuit 1 has a sensor device 2 whichincludes two sensors 3 and 4. The sensors 3 and 4 are connected vialines 5 and 6 to a preprocessing device 7 which has a preprocessingcircuit 8 and a preprocessing circuit 9. The preprocessing circuit 8cooperates with the sensor 3 and the preprocessing circuit 9 cooperateswith the sensor 4. The preprocessing circuits 8 and 9 are connected to acomputing system 12 via lines 10 and 11. The computing system 12 isconstructed as a microcomputer 13 in which the signal processingprocesses 14 (P1) and 15 (P2) proceed with staggered timing. The signalprocessing process 14 is connected via the line 16 to the triggercircuit 18, which has two components 19 and 20, and the signalprocessing process 15 is connected via the line 17 to the triggercircuit 18.

In addition, a window watchdog circuit 23 is provided, the inputs 24 and25 of which are connected to the signal processing processes 14 and 15via the lines 26 and 27. An output 28 of the window watchdog circuit 23is connected to a reset input 29 of the microcomputer 13.

The circuit in FIG. 1 operates as follows:

Sensors 3 and 4 monitor the driving state of the vehicle (not shown),e.g., with respect to its acceleration. The accelerations detected bythe sensors pass via the lines 5 and 6 to the preprocessing circuits 8and 9. The preprocessed data is subsequently fed via the lines 10 and 11to the microprocessor 13, which forms, according to the presentinvention, a single-computer system 12, that is to say, in contrast tothe components 3, 4; 8, 9; 19, 20 the microprocessor 13 is present onlyonce. It processes the information received via the data signal paths 31and 32 in the two signal processing processes 14 (Pl) and 15 (P2).

According to the present invention, the data originating from the twopreprocessing circuits 8 and 9 are processed by means of two programs(first program P1, second program P2) which have staggered timing withrespect to one another.

This is shown in greater detail in FIG. 2. In the top part of FIG. 2 itcan be seen that the two programs Pl and P2 proceed with a staggeredtiming with respect to one another. Accordingly, the program sequenceis: P1, P2, P1, P2, P1 etc. The starting times of the programs P1 and P2are generated by two interrupt sources IQ1 and IQ2 which are independentfrom one another. When the timer interrupt IQ1 occurs the program P1starts and when the timer interrupt IQ2 occurs the program P2 starts.

The starting points of the programs P1 and P2 are determined by thefollowing relations:

The starting time T1 of the first program P1 is

    T1=n·T

and the starting time T2 of the second program P2 is

    T2=(2n+1)·(T/2),

where n is the successive whole positive numbers and T constitutes aprocessing period.

Within a processing period T, both the program P1 and the program P2 areexecuted. The respective starting times of the two programs areaccording to the relations above:

where n=1 : T1=T, T2=3T/2

where n=2 : T1=2T, T2=5T/2

where n=3 : T1=3T, T2=7T/2 etc.

Consequently, the two programs P1 and P2 start alternately with thetiming interval T/2. This is tested by the window watchdog circuit 23.In the case of deviations, the window watchdog circuit 23 transmits toits output 28 a reset pulse which is applied to the reset input 29 ofthe microcomputer 13. This leads to a resetting of the computing system12 so that incorrect triggerings of the vehicle occupant safety systemare avoided.

In particular, the arrangement is constructed in such a way that atrailing edge is transmitted with the start of the signal processingprocess 14 (P1) and a rising edge is transmitted with the start of thesignal processing process 15 (P2), the edges passing via the lines 26and 27 to the inputs 24 and 25 as trigger signals to the window watchdogcircuit 23. If the programs P1 and P2 start alternately with the timinginterval T/2, no reset pulse occurs at the output 28 of the windowwatchdog circuit 23. If irregularities are present in the triggering ora failure occurs, resetting of the microcomputer 13 is performed, aspreviously described.

The trigger signal U_(wd) (t) generated in the manner described is shownin the bottom part of FIG. 2.

If error-free signal processing occurs in a case of triggering, the twotrigger stage components 19 and 20 are driven via the lines 16 and 17.The components have controllable switching elements which are located inseries with a firing cap of the vehicle occupant safety systemconstructed as an airbag, so that a switching through of these switchingelements leads to the firing of the firing cap and thus to triggering.

If an improper function occurs or, for example, a program execution isfaulty, the reset impulse of the window watchdog circuit 23 preventstriggering of the vehicle occupant safety system. If an error occurs inone of the data signal paths 31 and 32, only one trigger stage component19 or 20 is activated so that, likewise, triggering of the safety systemcannot occur. For safety purpose, it is additionally provided that oneprogram, for example P1, tests the termination of the other program, forexample P2, and vice versa. This occurs by virtue of the fact that eachprogram P1, P2 has an end identifier which is monitored by the otherprogram P2, P1. Thus, for example, the program P2 tests whether theprogram P1 has finished before the time 3T/2 (as shown in FIG. 2).

We claim:
 1. A safety system for activating a restraining device of avehicle, comprising:at least two sensors, each sensor generating arespective sensor signal; at least two preprocessing circuits, eachpreprocessing circuit coupled to a respective sensor for receiving therespective sensor signals and for generating respective preprocessingsignals based thereon; a computing system coupled to the preprocessingcircuits for continuously processing the preprocessing signals inrespective programs which are executed during respective time intervalswhich are staggered with respect to one another, and starting at timeswhich are determined based on respective independent interrupts; and atleast two trigger circuit components coupled to the computing system foractivating the restraining device.
 2. The safety system as recited inclaim 1, wherein the times at which execution of the respective programsstart are n·T and (2n+1)·(T/2), respectively, n being positive integers,and T being a processing period.
 3. The safety system as recited inclaim 1, further comprising a watchdog circuit triggered by a triggersignal generated by the programs, and coupled to a reset input of thecomputing system.
 4. The safety system as recited in claim 3, whereinthe watchdog circuit is a window watchdog circuit.
 5. The safety systemas recited in claim 3, wherein each of the program generates half of thetrigger signal.
 6. The safety system as recited in claim 3, wherein thetime at which execution of one program starts corresponds to the risingedge of the trigger signal, and the time at which execution of the otherprogram starts corresponds to the trailing edge of the trigger signal.7. The safety system as recited in claim 1, wherein the execution ofeach program ends before the execution of the other program begins. 8.The safety system as recited in claim 7, wherein each program tests forthe end of the other program.
 9. The safety system as recited in claim8, wherein each program has an end identifier which is monitored by theother program.
 10. The safety system as recited in claim 1, wherein therestraining device is activated only if the executions of the programsproduce approximately identical results.
 11. A method for activating arestraining device of a vehicle, comprising the steps of:generating arespective sensor signal with each of at least two sensors;preprocessing the sensor signals with respective preprocessing circuitscoupled to each of the at least two sensors and generating respectivepreprocessing signals based thereon; continuously processing with acomputing system the preprocessing signals in respective programs whichare executed during respective time intervals which are staggered withrespect to one another, and starting at times which are determined basedon respective independent interrupts; and activating the restrainingdevice using at least two trigger circuit components coupled to thecomputing system.
 12. The method as recited in claim 11, wherein thetimes at which execution of the respective programs start are n . T and(2n+1)·(T/2), respectively, n being positive integers, and T being aprocessing period.
 13. The method as recited in claim 11, furthercomprising the steps of:triggering a watchdog circuit with a triggersignal generated by the programs; and resetting the computing systemwith the watchdog circuit if the programs fail to properly trigger thewatchdog circuit.
 14. The method as recited in claim 13, wherein thewatchdog circuit is a window watchdog circuit.
 15. The method as recitedin claim 13, wherein each of the programs generates half of the triggersignal.
 16. The method as recited in claim 13, wherein the time at whichexecution of one program starts corresponds to the rising edge of thetrigger signal, and the time at which execution of the other programstarts corresponds to the trailing edge of the trigger signal.
 17. Themethod as recited in claim 11, wherein the execution of each programends before the execution of the other program begins.
 18. The method asrecited in claim 17, wherein each program tests for the end of the otherprogram.
 19. The method as recited in claim 18, wherein each program hasan end identifier which is monitored by the other program.
 20. Themethod as recited in claim 11, wherein the activating step is performedonly if the executions of the programs produce approximately identicalresults.